Analysis
- max time kernel: 160s
- max time network: 170s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-11-2022 15:49
- Static task: static1
- Behavioral task: behavioral1
  Sample: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Resource: win7-20221111-en
- Behavioral task: behavioral2
  Sample: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Resource: win10v2004-20220812-en
General
- Target: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
- Size: 10KB
- MD5: c4356d6506fed06bf83324222896e64f
- SHA1: 3932ecf0b9ae7e144180ae357cc72f05b2bb1963
- SHA256: 1f353369c80de1b1e98ded84be361263e75f56c109764fa3f5fa1d9b1df3a0c9
- SHA512: d68f76f09183e84c729cb1f7f4d090dedf387925d7cfd80e369a89d17a13b488fb0c9fc10620da3f5d39cbad73d9ff8ac0bbefa79981f7693abe925d6b786e53
- SSDEEP: 192:ujGVmR2TsJcAALF+9kseWgN0l4TKmF8stYcFmVc03KY:uikRvJczLF+9ksxgfTKmFptYcFmVc03K
Malware Config
Extracted family: remcos
- Remote: 79.110.62.46:50499
- audio_folder: MicRecords
- audio_record_time: 5
- connect_delay: 0
- connect_interval: 1
- copy_file: remcos.exe
- copy_folder: Remcos
- delete_file: false
- hide_file: false
- hide_keylog_file: false
- install_flag: false
- keylog_crypt: false
- keylog_file: logs.dat
- keylog_flag: false
- keylog_folder: windowss
- mouse_option: false
- mutex: fg4wer4s5trgfqewdc-WR9LLO
- screenshot_crypt: false
- screenshot_flag: false
- screenshot_folder: Screenshots
- screenshot_path: %AppData%
- screenshot_time: 10
- startup_value: Remcos
- take_screenshot_option: false
- take_screenshot_time: 5
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (process: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Gbmevjs = "\"C:\\Users\\Admin\\AppData\\Roaming\\Fjkatm\\Gbmevjs.exe\"" (process: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe)
- Suspicious use of SetThreadContext (1 IoC)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  PID 4812 (SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe) set thread context of PID 1684 (SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: powershell.exe, powershell.exe, SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  PID / process:
  - 1124 powershell.exe
  - 1124 powershell.exe
  - 2328 powershell.exe
  - 2328 powershell.exe
  - 4812 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  - 4812 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: powershell.exe, SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe, powershell.exe
  - Token: SeDebugPrivilege, PID 1124 powershell.exe
  - Token: SeDebugPrivilege, PID 4812 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  - Token: SeDebugPrivilege, PID 2328 powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  - PID 1684 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  PID 4812 (SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe) wrote to memory of:
  - PID 1124 powershell.exe (3 IoCs)
  - PID 2328 powershell.exe (3 IoCs)
  - PID 2736 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe (3 IoCs)
  - PID 1684 SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe (12 IoCs)
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell" Get-Date
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMQAwAA==
    (the -ENC argument is base64 of UTF-16LE text and decodes to: start-sleep -seconds 10)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.7824.29061.exe
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
  SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
  SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
  SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 0c7b1f773054792a34ac1f1f1028d508
  SHA1: 685550e071caf8e3cdce9e39742f77045ada620d
  SHA256: bac052566151eafb4cb4854fc118df007ef935cca22a90329aadcf4a1eca3fdc
  SHA512: aac9a074d53ef2be1c713542675345e6593c2fb7ffaf15562ed6de60d93251960aba32c9f08a586aba270e4a4fca0f3c3d68030579870321d4f95021e62ae824

Memory dumps (name, filesize where reported):
- memory/1124-137-0x0000000004CC0000-0x00000000052E8000-memory.dmp: 6.2MB
- memory/1124-143-0x0000000007270000-0x00000000078EA000-memory.dmp: 6.5MB
- memory/1124-136-0x0000000004510000-0x0000000004546000-memory.dmp: 216KB
- memory/1124-134-0x0000000000000000-mapping.dmp
- memory/1124-138-0x0000000004B30000-0x0000000004B52000-memory.dmp: 136KB
- memory/1124-139-0x0000000004C50000-0x0000000004CB6000-memory.dmp: 408KB
- memory/1124-140-0x00000000053A0000-0x0000000005406000-memory.dmp: 408KB
- memory/1124-144-0x0000000006040000-0x000000000605A000-memory.dmp: 104KB
- memory/1124-142-0x0000000004840000-0x000000000485E000-memory.dmp: 120KB
- memory/1684-150-0x0000000000400000-0x000000000047F000-memory.dmp: 508KB
- memory/1684-149-0x0000000000000000-mapping.dmp
- memory/1684-151-0x0000000000400000-0x000000000047F000-memory.dmp: 508KB
- memory/1684-152-0x0000000000400000-0x000000000047F000-memory.dmp: 508KB
- memory/1684-153-0x0000000000400000-0x000000000047F000-memory.dmp: 508KB
- memory/1684-154-0x0000000000400000-0x000000000047F000-memory.dmp: 508KB
- memory/2328-145-0x0000000000000000-mapping.dmp
- memory/2736-148-0x0000000000000000-mapping.dmp
- memory/4812-141-0x0000000006300000-0x000000000630A000-memory.dmp: 40KB
- memory/4812-132-0x0000000000E90000-0x0000000000E98000-memory.dmp: 32KB
- memory/4812-133-0x0000000005D40000-0x00000000062E4000-memory.dmp: 5.6MB
- memory/4812-135-0x0000000006550000-0x00000000065E2000-memory.dmp: 584KB